what are the security implications?

It's not spyware as your system is not uniquely identifiable. Once a blue moon this nonsense turns up. The search in Dash is sent to Amazon and results come back. Nothing more. No name, address, hostname, MAC address or anything else you can think of it is sent to Amazon so you are not identifiable.

Furthermore the feature is not only removable and optional by removing the shopping lens and rebooting, but it is also only in one of the 5 official versions of Ubuntu.

Sorry Andrew, but your view on this is rather naive. The fact that there is no obvious ID included in the request does not make the user unidentifiable. In fact the IP address is enough to reduce the number of persons in question to one household, in most cases to just one.
The integration and activation of this function without explicit user permission is violating the German privacy laws, arguable even a violation of the German Penal Code. Most likely the laws of all EU nations due to EU law harmonization. The fact that it can be deactivated or uninstalled does not change that.

In other words: Yes, it is spyware, not the most aggressive type, but it is.

We are not telling Amazon what you are searching for. Your anonymity is preserved because we handle the query on your behalf. Don’t trust us? Erm, we have root. You do trust us with your data already. You trust us not to screw up on your machine with every update. You trust Debian, and you trust a large swathe of the open source community. And most importantly, you trust us to address it when, being human, we err.

Unquote

You send data to canonical not amazon. Canonical do not keep a database of searches and all amazon can do is keep a log of searches from the canonical server.

Not naive at all. Try knows what he is on about.

To reiterate, it's totally removable and kubuntu, xubuntu, lubuntu and medibuntu do not even use it.